Setting SSL Parameters on a Secure Monitor

Aug 31, 2016

Important

This feature is supported only on the new Default profiles. For more information about these profiles, see Enhanced SSL Profiles Infrastructure Overview.

A monitor inherits either the global settings or the settings of the service to which it is bound. If a monitor is bound to a non-SSL or non-SSL_TCP service, such as SSL_BRIDGE, you cannot configure it with SSL settings such as the protocol version or the ciphers to be used. Therefore, if your deployment requires SSL-based monitoring of the back-end servers, the monitoring is ineffective.

You can gain more control over SSL-based monitoring of back-end servers by binding an SSL profile to a monitor. An SSL profile contains SSL parameters, cipher bindings, and ECC bindings. For example, you can set server authentication, ciphers, and protocol version in an SSL profile and bind the profile to a monitor. Note that to perform server authentication, you must also bind a CA certificate to the monitor. To perform client authentication, you must bind a client certificate to the monitor. New parameters for the "bind lb monitor" command enable you to do so.

Note

The SSL settings take effect only if you add a secure monitor. Also, the SSL profile type must be BackEnd.

Monitor Types that Support SSL Profiles

SSL profiles can be bound to the following monitor types:

  • HTTP
  • HTTP-ECV
  • TCP
  • TCP-ECV
  • HTTP-INLINE

To specify an SSL profile while adding a monitor by using the command line

At the command prompt, type:

add lb monitor <monitorName> <type> -secure YES -sslprofile <string>

set lb monitor <monitorName> <type> -secure YES -sslprofile <string>

Example

add ssl profile prof1 -sslProfileType BackEnd

add lb monitor mon1 HTTP -secure YES -sslprofile prof1

To bind a certificate-key pair to a monitor by using the command line

At the command prompt, type:

bind lb monitor <monitor name> -certkeyName <string> [-CA [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )]]
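The conditions above (secure monitor, BackEnd profile type, supported monitor type, CA certificate for server authentication) can be checked offline against a saved configuration. The following is an added example, not code from the product or its documentation: the audit function, the sample configuration, and the object names in it are constructed, and -serverAuth ENABLED is assumed to be the profile parameter that turns on server authentication.

```python
import shlex

# Monitor types the page lists as supporting SSL profiles.
SUPPORTED_TYPES = {"HTTP", "HTTP-ECV", "TCP", "TCP-ECV", "HTTP-INLINE"}

# Constructed sample configuration, not taken from a real appliance.
SAMPLE_CONF = """\
add ssl profile prof1 -sslProfileType BackEnd -serverAuth ENABLED
add ssl profile prof_fe -sslProfileType FrontEnd
add lb monitor mon1 HTTP -secure YES -sslprofile prof1
add lb monitor mon2 TCP -sslprofile prof1
add lb monitor mon3 HTTP-ECV -secure YES -sslprofile prof_fe
add lb monitor mon4 LDAP -secure YES -sslprofile prof1
bind lb monitor mon1 -certkeyName ca_cert -CA -ocspCheck Optional
"""

def _opts(tokens):
    """Map '-option value' pairs to a dict with lowercase keys; bare flags map to ''."""
    out = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            out[tok[1:].lower()] = "" if nxt.startswith("-") else nxt
    return out

def audit(conf):
    """Return (monitor, finding) pairs for monitors whose SSL profile will not work as intended."""
    profiles, monitors, ca_bound, findings = {}, {}, set(), []
    for line in conf.splitlines():
        t = shlex.split(line)
        if len(t) >= 4 and t[0] in ("add", "set") and t[1:3] == ["ssl", "profile"]:
            profiles.setdefault(t[3], {}).update(_opts(t[4:]))
        elif len(t) >= 5 and t[0] in ("add", "set") and t[1:3] == ["lb", "monitor"]:
            monitors.setdefault(t[3], [t[4], {}])[1].update(_opts(t[5:]))
        elif t[:3] == ["bind", "lb", "monitor"] and "ca" in _opts(t[4:]):
            ca_bound.add(t[3])
    for name, (mtype, o) in monitors.items():
        if "sslprofile" not in o:
            continue
        prof = profiles.get(o["sslprofile"], {})
        if o.get("secure", "NO").upper() != "YES":
            findings.append((name, "not a secure monitor, SSL settings have no effect"))
        if mtype.upper() not in SUPPORTED_TYPES:
            findings.append((name, "monitor type does not support SSL profiles"))
        if prof.get("sslprofiletype", "").lower() != "backend":
            findings.append((name, "SSL profile is missing or not of type BackEnd"))
        if prof.get("serverauth", "").upper() == "ENABLED" and name not in ca_bound:
            findings.append((name, "server authentication set but no CA certificate bound"))
    return findings
```

Calling audit(SAMPLE_CONF) reports mon2, mon3, and mon4, and leaves mon1 clean because it is secure, uses a BackEnd profile, and has a CA certificate bound.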